feat(authz-keycloak): Add Keycloak Authorization Services endpoint discovery.#3263
feat(authz-keycloak): Add Keycloak Authorization Services endpoint discovery.#3263spacewander merged 23 commits intoapache:masterfrom jenskeiner:uma-discovery
Conversation
|
@sshniro: Penny for your thoughts. I have a POC in a separate branch that dynamically resolves URIs to resources defined in Keycloak, so this is just a first change in that direction. |
jenskeiner
changed the title
jenskeiner
changed the title
apisix/plugins/authz-keycloak.lua
Outdated
| local cjson = require("cjson") | ||
| local cjson_s = require("cjson.safe") |
There was a problem hiding this comment.
It is better to use the public methods provided here.https://github.com/apache/apisix/blob/master/apisix/core/json.lua
There was a problem hiding this comment.
Yep, using that one now. We're incurring a slight performance penalty by now using cjson.safe.decode through apisix.core.json.decode to decode values from the shared memory which are known to have been encoded correctly. But not sure how much of a hit that actually is. Just this line here: https://github.com/jenskeiner/apisix/blob/26277f1ea98366ac852ee6673667e1be1320001c/apisix/plugins/authz-keycloak.lua#L190
jenskeiner
changed the title
spacewander
changed the title
4 participants
What this PR does / why we need it:
The
authz-keycloakplugin needs to know the Keycloak token endpoint to use. A configuration option to point to the token endpoint is already there.Additionally, Keycloak supports discovery of Authorization Services-related endpoints, like the token endpoint, through a discovery document served under a well-known path relative to the realm, e.g.
https://keycloak-host/auth/realms/foo/.well-known/uma2-configuration.It can be convenient to use the discovery document to get the token endpoint URL, instead of specifying the token endpoint explicitly, since the URL is typically shorter. More importantly, future build out of the
authz-keycloakmay require access to additional related endpoints. In this case, just providing the single path to the discovery document would be more convenient than specifying each endpoint URL explicitly.This PR adds an attribute that allows to specify the discovery document URL and makes the token endpoint attribute optional. However, it is checked that at least one, discovery or token endpoint, is given.
The plugin now fetches the discovery document lazily and caches it in shared storage already used by the
openid-connectplugin (better: theopenidcmodule used therein) for similar purposes in the context of OIDC endpoint discovery.If both, discovery and token endpoint are given, the plugin prefers the explicit token endpoint value over the one from discovery.
Pre-submission checklist: